We have a product that allows people to schedule posts to Facebook. We have relied upon the offline access permission, which is scheduled to be removed on Dec 5th.

We think that we have implemented the correct 60 day session-extending logic, but are having difficulty testing.

We created a new test Facebook app and enabled the "December 2012 Breaking Changes" migration setting. A new user authorizes the new application (and we still request the offline_access permission). We then extend the session, which returns the same session token without an expires parameter. When we use the Access Token Debugger, it says that the tokens never expire.

We tried doing the authorization without passing the offline_access permission, but could never get an expiration beyond 5760 (4 hours), making it seem necessary to still pass.

We very much want to test the breaking change, but we cannot create the scenario in which sessions expire and must be continually extended. How can we test this?

2 Answers
2

Yes, I've tested this before. Below are the steps to test the 60-day tokens using the Debugger and a browser. You can adapt these calls for your app, and use some server-side logging to copy-paste the tokens into the Debugger to confirm the tokens' expiration date.

First, don't ask for offline_access anymore.

Use the Graph API Explorer to get an access token. Set Application: to your app. Below, my app is called ES1:

(Only apps you are an admin or developer for will appear in the "Applications" list)

Click the "Debug" button and confirm you have a short-lived token:

Note: No offline_access perms in the previous screenshot.

Do this call to exchange the short-lived token for a long-lived one. I just paste this into a browser. You will have this in your app's code:

The solution is that there is a second migration setting "Remove offline_access permission" that must also be enabled. Only when enabled with the "December 2012 Breaking Changes" migration setting will your application be able to obtain 60-day session tokens.

This has the unfortunate side effect of transforming existing never-expiring session tokens immediately into 60-day expiring tokens. Facebook said they would continue to honor existing never-expiring tokens, but given that both settings must be enabled, your application is forced to treat all users as having 60-day tokens.